SURVIVABLE C2 // DENIED-ENVIRONMENT MESSAGING
No server to seize. No data center to strike. No way to shut it down.
DeadDrop is survivable command and control. It carries end-to-end encrypted messages peer-to-peer across the Bitcoin Lightning Network, the same rail that moves value. An operator alone in denied territory can reach command in seconds over a single satellite uplink, with no central facility for an adversary to jam, strike, or seize.
OPERATIONAL ON BITCOIN MAINNET
THE PROBLEM
Centralized command can be jammed, struck, or erased. Teams, Mattermost, and Signal all route through central servers, so the infrastructure that carries the message is the infrastructure an adversary targets first. Under denied, degraded, intermittent, and limited conditions, that dependency is the failure point. DeadDrop removes it. Every operator runs their own node and their own local relay, so there is no shared server anywhere in the path to jam, strike, or seize.
| Capability | DeadDrop | Signal | Mattermost | Teams |
|---|---|---|---|---|
| End-to-end encrypted by default | ||||
| No shared server in the delivery path | ||||
| No central facility to strike or seize | ||||
| Holds for the operator under denied or degraded links | ||||
| Tamper-evident, Bitcoin-anchored delivery receipts | ||||
| Identity rooted in an on-chain trust anchor | ||||
| Self-hosted, on-prem deployable |
HOW IT WORKS
DeadDrop seals every message to the recipient's key and delivers it over the most resilient path available. The primary path is a direct peer-to-peer keysend that carries the sealed message inside a one-satoshi Lightning payment from one node to another, moving traffic directly between agencies and operators in the field. When a direct path is unavailable, the system steps down to a backup path automatically, holding the message in the operator's own local relay until a link returns. Every component runs on hardware the operator controls, and the content stays sealed end to end on every path.
WEBGL ANIMATION MOUNTS HERE
01
Each operator runs a self-hosted Lightning node and a local relay on compact hardware. Nothing has a public IP and nothing accepts inbound traffic from the internet.
02
The client encrypts the message to the recipient's identity key. The private key is generated and held by the client and never crosses the wire.
03
The sealed envelope rides a one-satoshi keysend node to node across the network, carrying traffic directly between agencies and operators. No shared server sits in the path. If the direct link is gone, delivery steps down to a backup that holds the message in the operator's own local relay until a link returns.
04
The message hash is committed to a Bitcoin block, producing a tamper-evident record of delivery.
CAPABILITIES
No shared infrastructure carries the comms. Every operator runs their own node and relay, so there is no data center to jam, strike, or erase. The goal path is a direct link between operator nodes.
When the direct path degrades, the system steps down to a backup automatically and holds each message in the operator's own local instance until a link returns. Communication between agencies and operators survives denied, degraded, and intermittent conditions, and low-bandwidth links carry it.
Every message and file hash is anchored to a Bitcoin block. Delivery produces an immutable receipt, and operators can export a signed transcript.
Messages are encrypted to the recipient's identity key. The relay and the Lightning hops carry ciphertext only. Keys are held by the client and never cross the wire.
Identity is bound to a public key by an on-chain trust anchor, not trust-on-first-use and not a phone number. Proof-of-possession stops a caller claiming a key it does not hold.
Every operator self-hosts the full stack, node and relay, on compact hardware with no public IP. Live telemetry shows link status, hop count, latency, and channel balance.
OPERATIONAL DETAILS
FILE TRANSFER
Files split into hash-sealed chunks that transfer over low-bandwidth, intermittent links. The file is encrypted on the client, the operator's own relay holds ciphertext only, and the key rides sealed inside the message. The plaintext hash is anchored on Bitcoin, so a delivered file is tamper-evident.
ECONOMICS
Channel capital is parked and recoverable. Each message cycles a single satoshi between the operator's own nodes, so traffic nets to zero. The only real cost is a small Bitcoin network fee at three moments: opening a channel, closing it, and anchoring a receipt.
DEPLOYMENT
DeadDrop runs in the Azure Government cloud on infrastructure aligned to DoD Impact Level requirements. Every message is end-to-end encrypted and the client holds its own keys, so the system is built to move through an Authority to Operate with a sponsoring component.
IN THE FIELD
Drop an operator into territory that blocks all internet access. With DeadDrop and a satellite uplink, they reach command in seconds, every message sealed end to end, every delivery anchored to a Bitcoin block, and no infrastructure an adversary can reach.
We walk through the threat model, the node hardware, the delivery model, and a live demonstration of messaging across a network with no center. Bring the environment you need to operate in.